An Interview with former 180solutions employee

Jimmy Daniels has done an interview with a former 180solutions employee. Everyone should check it out. Click here.

    Jimmy: Being on the technical side of it, I would imagine you’ve had to uninstall 180 many times from family and friends’ PCs, as I have. Got any good stories there?

    ex180: Uninstalls? Yeah. I’ve taken it off my neighbor’s computer a couple of times. He has three girls and it finally got so bad that I rebuilt his laptop and installed VMware, then decreed that he was the only person in the house allowed to use the computer without starting VMware first and surfing from it. He backed it up and has been happy ever since. I remember my first embarrassing experience was my fifth day at the company… I got a call from a non-technical co-worker at my previous job to help her uninstall n-case. She knew who I went to work for and it was before the uninstallation stuff was so widely available on the web. That was humiliating… I was like, “wow… people warned me about this place before I came and here’s so-and-so needing help to get this crap off her machine”. Ouch.

Eric Sites
VP of Research & Development
Sunbelt Software

What do the bad guys know about your bank?

Here at Sunbelt we come across a lot of personal information stolen by keyloggers, trojans that go after your protected storage data, and phishing scams. So what do the bad guys do and know about your bank account when they have that information?

Here is a conversation we came across while doing malware research that everyone should know about:

Barclays Question

I have some questions regarding Barclays bank drop cashing, hope everyone can help.

1. Is it true that it requires one business day (next day) to complete the transfer if I do an online transfer to another Barclays drop? Or will it do it instantly like BoA and Wells Fargo?

2. Is it ok if I use a personal Barclays drop and cashout 10k+ balance from a business login? Or do I need business Barclays drop in this case?

3. In terms of risk, is there any difference between cashing 2k and 10k from the bank? I mean, is there any requirement if I cash a large sum of money compared with small-amount cashing?

Thanks in advance.

Yep, it takes 1 working day for the transfer to be cleared. If you do it before 6pm on a working day it will be in the account next day. If you do the transfer after 6pm it will take 2 days to clear. Hope that helps.

You need to know barclays limit is xxxxxxx[amount removed] pounds.

if you go over this amount the bank will phone and u must have full info of login to cash it and answer the bank.

xxxxxx[amount removed] limit is for personal account if I’m not mistaken, what if I use business account and transfer more than xxxxxx[amount removed], will they still call for verification?

yes they will call even if its business and if you go over the limit.

you need a full info login

yes they will call even if its business and if you go over the limit.

You mean the xxxxxx[amount removed] limit? Even if I use business and transfer more than xxxxxx[amount removed] they still call? Do I need to change the phone number, since they’ll call the phone number registered on the file?

Of course, we wouldn’t want the account holder verifying shit now do we

xxxxxx[amount removed] is limit do about xxxxxx[amount removed] change the phone on the login what i do is change the mobile to my mobile and the house or landline i delete 2 number and add 2 so the number is invalid so bank calls mobile.

thanks

I think what u’re trying to say is that cash it b4 12.00pm second day so even they call later and the money has already been cashout. But aren’t that they won’t add the transfer to your drop before the any verification is confirmed?

——————-

Eric Sites
VP of Research & Development
Sunbelt Software

eEye issues temporary fix for IE Exploit

eEye has released a patch for the active IE zero day exploit:

Organizations that choose to employ this workaround should take the steps required to uninstall it once the official Microsoft patch is released. This workaround is not meant to replace the forthcoming Microsoft patch, rather it is intended as a temporary protection against this flaw. Organizations should only install this patch if they are not able to disable Active Scripting as a means of mitigation [my emphasis].

Link here.

Yup, I agree. Don’t bother using this patch — turning off Active Scripting in IE is a valid mitigator. Microsoft will have this patched on (or possibly before) April 11.

Alex Eckelberry
(Hat tip to Andreas)

Become a phishing terminator


CastleCops and Sunbelt Software are announcing a new anti-phishing community, the Phishing Incident Reporting and Termination (PIRT) Squad. This will be a community at CastleCops solely dedicated to taking down phishing sites. It’s the first public takedown community that I know of, and we are going to start nailing these sites. You can read the press release here. ZDNet article here. You can register to help us here.

The PIRT Squad works as a complement to existing organizations such as the Anti-Phishing Working Group (APWG). The primary difference between PIRT and other organizations is that PIRT is focused solely on aggressively terminating phishing sites. PIRT will work with other security organizations and, if necessary, law enforcement, to provide information for security and forensic analysis.

With this new service, you can report a phish via email or through a web tool. And we’re recruiting volunteers to help, too.

But here’s a little background: A while back, Paul Laudanski and I worked together to shut down a phishing site on a financial services company. What did we do? We called them aggressively by phone. We contacted their ISP. We contacted the brokerage firm they used to clear their orders. In just a few hours, the thing was shut down.

This got us talking about the problem of phishing. Very few people report these phishing sites immediately and get them shut down. There’s a lot of experts involved in phish fighting, but they’re primarily dealing with the important security research and forensics angle of the business.

There are companies like Cyota, who contract with financial institutions to protect them from phishing, and they do takedown. Maybe their clients’ sites get taken down. But those who aren’t their clients? What happens?

This situation brings to mind those old TV shows, where a camera crew would have someone pretend to break into a car on a busy street, and no one around would call the cops. It’s not because no one cared, it’s because all the neighbors assumed someone else must be calling. So, no cops were called.

Well, it’s a relevant analogy for phishing. There’s an obvious solution to shutting down a phishing site that many people don’t realize they can do: contact the site, the ISP, or the owner of the compromised site. In my experience, by aggressively going after phishing sites, you can shut down a significant portion of these sites — perhaps 40% or more — by simply taking action. This may not seem like a large number, but it’s pretty significant if you realize how many people you can help.

I’ve been testing this over the last couple of months: From time to time, I’ll contact someone related to the site to let them know that their site is being used for a phishing scam. In a fairly significant number of cases, I’ve been the first and possibly only one who ever contacted these people. It’s usually something that only takes me a few minutes, but it is effective in a large number of instances.

You see, most phishing operations run off of an innocent compromised site. Phishers, for obvious reasons, don’t want to let the world know who they are, so they find sites with poor security (almost always Apache-based sites that have poor configurations or old Apache versions), hack in, set up shop and do as much business as they can before they are shut down.

This even occurs with keylogging operations. Recently, we came upon an elderly lady running a site about flowers who had a full keylogging operation running off her site. Sending her emails was ineffective, so I simply looked up her name using whitepages.com, called her personally and told her what was going on. We helped her through the process of shutting down the compromised portion of her site and getting things back in place, and now a few fewer people will be affected by this keylogger. And just this past weekend, I worked on a takedown of a real-estate site hosting the zero-day exploit. I was the first person to contact the realtor, and she took fast action to fix it. So one person can make a difference.

And that’s why Paul and Robin Laudanski and I decided to start PIRT. And we’re recruiting volunteers. Paul has even created a tool, Fried Phish(tm), which you can use to make phishing reports. Join here. An introductory Wiki (a work in progress) is here.

You can help fight phishers as well, with just a basic knowledge of how the Internet works. If only 10% of the people who read this blog reported one phishing site a day, it would actually make a dramatic impact.

So join Paul and me and become a Phishing Terminator. Click here.

Alex Eckelberry


Getting Spyware Quake off your system

You can try using CounterSpy to remove Spyware Quake (free trial). We have also posted a manual removal process here (thanks to Sunbelt security researcher Adam Thomas for his work on this).

Also, there are various user comments here and here, and SpywareWarrior is always a good place to go for discussion on these types of things.

Alex Eckelberry

IAC launches new shopping service

IAC (the company behind Ask.com, etc.) has launched a new shopping service.

Now Barry Diller’s company, IAC/InterActiveCorp, among several others, is giving this kind of shopping software a revival. The company recently introduced Pronto, a software application that a user downloads at Pronto.com. Once a user clicks on one of the 50,000 merchants in its database, Pronto silently monitors all of a user’s activity on a product page, then shows deals from other merchants on the same items, or similar ones, until it finds a better deal. Then it sends a message prompting the user to click away.

NY Times link here.  

Alex Eckelberry

Email a potential attack vector for zero-day exploit

WebSense has provided an updated list of exploited sites. It’s growing.

SANS just reported:

Just for the sake of clarity, there is an email attachment vector for this exploit that’s not widely reported. I have not seen any reports of it being used at this time. MS’s bulletin, in the FAQ’s, in “Could this vulnerability be exploited through e-mail?”, says it can be exploited if one “open(s) an attachment that could exploit the vulnerability.” ISS obliquely says attacks may occur by “…simply embedding the required logic in specially crafted HTML emails.”.

The full extent of email as an attack vector is not fully known. The best thing you can do is turn off Active Scripting in IE (IE 7 beta 2 preview is not affected by this exploit), as according to SANS, this may be a “global” workaround.

Alex Eckelberry

Seen in the wild: Spyware Quake

Updated info with fix here.

There is a new rogue Anti-Spyware application out there serving as a replacement for Spy Falcon and SpyAxe.


Spyware Quake is installed through the infamous VCodec trojan as well as various exploits.

WHOIS Information:

Domain Name: SPYWAREQUAKE.COM

Registrant:
SafeSurf LLC
Kevin Gerad (Whois Privacy and Spam Prevention by Whois Source)
U-12 Gamma Commercial Complex # 47 Rizal Highway cor. Manila
Olongapo City
null,98101
PH
Tel. +201.6753332

In addition to just a stealth install of Spyware Quake, an infected machine will exhibit other unwanted symptoms such as Internet Explorer browser hijacks, a stealth installed “Security Toolbar”, and pop-up advertising that is often adult in nature. Also commonly seen is pop-up advertising for WinFixer.

Adam Thomas
Spyware Research

Exploit sites inching near 100

Update: Email may be an attack vector.

From WebSense:

As reported, we are actively researching the newest IE zero-day exploits that are surfacing (s: http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=449). To date we have discovered nearly 100 unique URLs that are all attempting to run malicious code on the user’s machine without user intervention.

One interesting aspect we are researching is the number of machines that appear to have been compromised here. The sheer percentage of sites that are compromised versus owned by the attacker is higher than usual. In particular we have noticed several travel related websites that are hosted on different networks.

Link here.

I don’t want to spread undue panic. This is not like the WMF exploit, which had the cruel aspect of using a graphic file to execute a payload. This fact broadened the attack vectors to graphics embedded in emails, graphics being viewed through Google Desktop, etc. This is not the same type of exploit.

However, we concur with the good folks over at WebSense — a lot of sites that we examined with this vulnerability are legitimate sites that have been compromised. It’s not just the usual porn and crack sites that some users go to.

There is no patch available for this exploit. The only way to avoid it is a) turn off Active Scripting or b) use a non-IE browser (although the latest version of IE 7, the March 20 beta 2 preview, is not affected). Your standard protections should be in place — antivirus, firewall, antispyware. Your antivirus program may catch it, but don’t count on it in the near future, as AV vendors themselves are in the process of getting out new definitions.

Alex Eckelberry

Well, this is how they handle software piracy in Russia

Beat ‘em up.

Manager of the company’s software department, Andrei Smirnov, offered to fight the dealer in a fitness center. He defeated the computer pirate 24-16 in three rounds, lasting three minutes each. The dealer’s name was not revealed, News.Ru web edition on high technologies reported on Thursday.

Link here.

Alex Eckelberry
(Thanks John)

Pamela Parker muses about adware

Pamela Parker at ClickZ muses about adware:

Let me start by saying I don’t think adware is a bad thing. Definitions differ, but I’ve always used the word adware to mean ad-supported software, which includes things like AOL’s AIM and WeatherBug. As far as I’m concerned, so long as users understand they’re seeing ads in exchange for getting free software, that’s just fine. Transparency is key.

That said, the word adware has long had some sinister connotations, and for good reason. Even some of the more upstanding of adware companies have somewhat shady pasts — pasts full of questionable distribution methods, associations with disreputable software providers, a lack of disclosure and much consumer ill-will. A history like that can be very hard to leave behind.

Putting WeatherBug, AIM and (ostensibly) Eudora’s free ad-supported version in the category of adware is actually incorrect. Ad-supported software is different from adware. Adware exists with the primary purpose of providing advertising. Ad-supported software (like Eudora) exists for the purpose of supporting the vendor, but the primary purpose of the application is not advertising. Eudora is an email program. It has banner ads. It is not WhenU SaveNow, 180Solutions Zango, Direct Revenue BestOffersNetwork, etc. (Getting definitions on adware is also interesting.)

You can read Pamela’s article here.

Alex Eckelberry

It’s in the wild

19 confirmed sites now using the IE vulnerability, as reported on security lists by Dan Hubbard (alert) at WebSense and Joe Stewart at Lurhq.

These can be very nasty. Our analysis of one site, www(dot)textrum(dot)se (since shut down):

The exploit calls a file, updater.exe


Norman sandbox report:

Found Sandbox: W32/Backdoor; [ General information ]

* Anti debug/emulation code present.
* Creating several executable files on hard-drive.
* File length: 46644 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\Updater.exe.
* Creates directory C:\WINDOWS\SYSTEM32\kazaabackupfiles.
* Creates file C:\WINDOWS\SYSTEM32\kazaabackupfiles\download_me.exe.

[ Changes to registry ]
* Creates value "Windsupdate"="Updater.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce".
* Creates value "Windsupdate"="Updater.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Modifies value "Dir0"="012345:C:\WINDOWS\SYSTEM32\kazaabackupfiles" in key "HKCU\Software\Kazaa\LocalContent".

[ Network services ]
* Connects to "[redacted].com" on port 6667 (IP).
* Connects to IRC server.
* IRC: Uses nickname [redacted]
* IRC: Uses username [redacted].

[ Security issues ]
* Possible backdoor functionality [Authenticate] port 113.

[ Process/window information ]
* Enumerates running processes.
* Will automatically restart after boot (I’ll be back…).
* Attemps to open C:\WINDOWS\SYSTEM32\Updater.exe NULL.
* Enumerates running processes several parses….
* Creates a mutex coolbot1.c4.

Logs information to: C:\WINDOWS\system32\sys.ini
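A sandbox report like the one above is most useful once its bullet lines are turned into something a defender can check a host against. The following Python is an added example, not Sunbelt’s or Norman’s code: it parses the report’s filesystem, registry, network and mutex lines (backslashes restored; the IRC host is kept redacted as on the page), singles out the Run/RunOnce values as the backdoor’s reboot persistence, and matches the indicators against a constructed host snapshot.

```python
import re
from dataclasses import dataclass, field

# Excerpt of the Norman sandbox report quoted in the post, with the path
# separators restored; the IRC host is left redacted exactly as on the page.
SANDBOX_REPORT = r"""
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\Updater.exe.
* Creates directory C:\WINDOWS\SYSTEM32\kazaabackupfiles.
* Creates file C:\WINDOWS\SYSTEM32\kazaabackupfiles\download_me.exe.

[ Changes to registry ]
* Creates value "Windsupdate"="Updater.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce".
* Creates value "Windsupdate"="Updater.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Modifies value "Dir0"="012345:C:\WINDOWS\SYSTEM32\kazaabackupfiles" in key "HKCU\Software\Kazaa\LocalContent".

[ Network services ]
* Connects to "[redacted].com" on port 6667 (IP).

[ Process/window information ]
* Creates a mutex coolbot1.c4.
"""

FILE_RE = re.compile(r"^\* Creates (?:file|directory) (.+?)\.?$")
REG_RE = re.compile(r'^\* (?:Creates|Modifies) value "([^"]+)"="([^"]*)" in key "([^"]+)"\.?$')
NET_RE = re.compile(r'^\* Connects to "([^"]+)" on port (\d+)')
MUTEX_RE = re.compile(r"^\* Creates a mutex (\S+?)\.?$")


@dataclass
class Indicators:
    files: list = field(default_factory=list)      # dropped files and directories
    registry: list = field(default_factory=list)   # (key, value name, data)
    autoruns: list = field(default_factory=list)   # subset of registry under Run/RunOnce
    network: list = field(default_factory=list)    # (host, port)
    mutexes: list = field(default_factory=list)


def parse_report(text):
    """Extract indicators from the bullet lines of a Norman-style sandbox report."""
    ind = Indicators()
    for raw in text.splitlines():
        line = raw.strip()
        if m := FILE_RE.match(line):
            ind.files.append(m.group(1))
        elif m := REG_RE.match(line):
            name, data, key = m.groups()
            ind.registry.append((key, name, data))
            # Run/RunOnce values are what makes the backdoor "restart after boot".
            if key.upper().endswith(("\\RUN", "\\RUNONCE")):
                ind.autoruns.append((key, name, data))
        elif m := NET_RE.match(line):
            ind.network.append((m.group(1), int(m.group(2))))
        elif m := MUTEX_RE.match(line):
            ind.mutexes.append(m.group(1))
    return ind


def match_host(ind, host):
    """Compare indicators with a host snapshot; Windows paths and keys compare case-insensitively."""
    hits = []
    files = {f.lower() for f in host["files"]}
    reg = {(k.lower(), n.lower()): v for (k, n), v in host["registry"].items()}
    hits += [("file", f) for f in ind.files if f.lower() in files]
    hits += [("autorun", k, n) for k, n, d in ind.autoruns if reg.get((k.lower(), n.lower())) == d]
    hits += [("mutex", mx) for mx in ind.mutexes if mx in host["mutexes"]]
    return hits


# Constructed host snapshots: one clean, one showing the dropped file, persistence and mutex.
CLEAN_HOST = {"files": set(), "registry": {}, "mutexes": set()}
INFECTED_HOST = {
    "files": {r"C:\Windows\System32\Updater.exe"},
    "registry": {(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Windsupdate"): "Updater.exe"},
    "mutexes": {"coolbot1.c4"},
}
```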


More work going on… may post more later.

Based on what we’re seeing in the wild right now, we hope that Microsoft will patch this new IE exploit prior to April 11 (the next scheduled update).

Keep your AV and antispyware updated and run your software firewall (free suggestions here). The only valid workaround for this vulnerability is to turn off Active Scripting in IE, or use another browser. Your AV may very well catch these nasties, but don’t count on it in the immediate future.

Alex Eckelberry

Kerio deal expires soon

Shameless salesmanship, but I figure it has to be said:

When we launched the Kerio Firewall under our own name, we put in place an intro price of $14.95, a ridiculously cheap deal for a full-featured firewall.  The offer ends on the 31st, at which point it goes up to $19.95 (still a great deal), so if you want it, grab a free download, do your eval and pick it up before the end of the month.  Link to download page here.

Alex Eckelberry

CDT: xxx domains are stupid. Throw the idea out.

From the CDT:

CDT is urging Sens. Max Baucus (D-Mont.) and Mark Pryor (D-Ark.) to withdraw a bill that would force Internet authorities to create a “.xxx” domain for adult content. In a letter sent this week to the Senators, who co-sponsored S. 2426, the Cyber Safety for Kids Act of 2006, CDT warns that the bill will provide ammunition for those seeking to bring the Internet under the control of a multi-governmental bureaucracy. If passed, the bill would also violate the First Amendment rights of Web site operators and would do little to protect children from harmful material online, CDT wrote. March 24, 2006

Link here.

Alex Eckelberry

Free web content filtering

At the ASC workshop back in February, I met with one of the folks at Blue Coat, and found out that they are providing a free web filtering product for home use. I tested it, and it’s not bad (considering the price). The version I tested doesn’t compare to more advanced products like CyberPatrol and Cybersitter, but considering the price, it’s not a bad deal. Note that Microsoft has announced plans for free web content filtering.

The link for the free K9 version is here.

Alex Eckelberry

IE POC code in the wild

As many of you know, there is proof of concept code for a recently published IE vulnerability in the wild. 

From SANS:

Folks, as Lorna predicted yesterday, it didn’t take long for the exploits to appear for that IE vulnerability.  One has been making the rounds that pops the calculator up (no, I’m not going to point you to the PoC code, it is easy enough to find if you read any of the standard mailing lists), but it is a relatively trivial mod to turn that into something more destructive (in fact one of our readers, Matt Davis, has provided us with a version that he created that is more destructive).  For that reason, we’re raising Infocon to yellow for the next 24 hours. 

As SANS says, Microsoft recommends turning off Active Scripting. You can also switch to Firefox or Opera.

We are watching very carefully out there for any sites using this exploit.

Alex Eckelberry

Communities for IT managers

One of the free services we’ve been offering IT professionals for years is our user forums. Focused on IT issues, they are valuable if your job is running a network, or if you’re involved in network security. We have a lot of professionals on these forums and some of these lists are very active.

The most active lists are the NTSYSADMIN list and MS Exchange Management Issues.  These are a good starting point for someone who wants to get into communication on general IT issues.

NTSYSADMIN
Subscribe
Read Charter/Login

5,100+ Members – Sunbelt Software hosts this list to invite the free and open discussion of Windows NT System Administration Issues. This list is intended to be a forum to discuss how to keep NT Servers up and running in a production environment. NOTE: High Traffic


MS Exchange Management Issues
Subscribe
Read Charter/Login

3,600+ Members – Sunbelt Software hosts this list to invite the free and open discussion of Microsoft Exchange Administration Issues. This list is intended to be a forum to discuss how to keep Exchange up & running in a production environment, and as help to pass the Exchange Certification Exams. NOTE: High Traffic

Feel free to join one of our lists.  A full description of all the lists is here.

Alex Eckelberry

Bill Day at WhenU: “Hold the phone people, advertising in adware isn’t necessarily bad”

Bill Day, CEO of WhenU, wants ad buyers to be intelligent about their media buys — not just walk away from adware completely. 

So what’s a buyer to do? You could simply abstain from all adware (and to be consistent, maybe abstain from working with all behavioral targeting or even all advertising networks whose analytics and third-party tracking cookies raise concerns while you’re at it). As thought leaders, we can’t operate successfully by making simplistic decisions; successful online marketing involves a certain amount of pioneering. But how do you strike the right balance?

Now, realize that the media buying side of the ad business is dominated by harassed and overworked 20-somethings. It is a lot to ask of anyone in that position to make a decision with any granularity (“let’s see, this one adware company has a long writeup from Ben Edelman and has practiced a number of illegal drive-by installs, while this one is different, because they have full disclosure and consent, however Eric Howes wrote a whitepaper which criticized several aspects of their business…”).

So ad buyers need a simple solution, which is why the ad business loves the TRUSTe Trusted Download Program.  It makes buying a simple binary decision for ad buyers — “oh, it’s certified?  Then I can place ads in it”.  Of course, in the end, it is a validation of the adware business model…  (see a recent Sunbelt posting about TRUSTe here).

But here’s a direct reference to an adware company (We All Know of Whom He Is Speaking):

Be especially wary of those who defend themselves by accusing the anti-spyware community of being a bunch of ad-hating “zealots” and “fanatics”–most security advocates leading the charge to accountability are thoughtful, dedicated and discriminating professionals who are able to see the difference between hot air and meaningful moves. If hardcore anti-spyware watchdogs can be discriminating, media buyers can be, too.

Link here.

Alex Eckelberry

Two advertisers pull out of 180Solutions

Must be because Sean Sundwall left.

Altrec, an online store selling outdoor clothing and gear, has “discontinued its experiment with 180solutions indefinitely,” the company said in an email to vnunet.com. The company stressed that the test had been limited in its scope, with Altrec spending no more than $440.

Online mobile phone store Letstalk.com too has cut all ties with the adware maker, chief executive Delly Tamer said in an emailed statement.

And GreetingCards.com had an epiphany:

Lastly GreetingCards.com said that it was unaware of 180solutions’ history of unfair and deceptive practices and has cancelled its contracts with the firm.

Link here with gracious thanks to Ferg.

One assumes this is as the result of the good work on the part of the CDT, who published the dirty details earlier this week.

Alex Eckelberry